W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2017


From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
Date: Thu, 12 Oct 2017 06:42:07 +0800
Message-ID: <CAKRyGxugTOQ1t315NQ50TKmHXmDayunyBNjXPXnaGCNZsj0=4A@mail.gmail.com>
To: "public-webapps@w3.org" <public-webapps@w3.org>
> Effectively you want to get rid of the same-origin policy. This isn't going
> to happen because everybody else relies on it working. CORS exists because
> the same-origin policy exists. And the same-origin policy exists to avoid
> exposing side effects and data to third parties for data requests which
> where introduced to the web at a later stage when there was already a large
> volume of existing sites which couldn't all be changed.
> In essence it seems you're not happy with how history went, and you'd like
> the entire world to change all at once so that you can avoid adding a
> perfectly functional http header...
No. I want the old style same origin policy almost unchanged, just relax a bit
Did you read http://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0024.html?

Seems to me you do not get my point, I do not know what is missing for
you not to understand me.
That browser allows http://evil.com/a.html to load
https://bankA.com/ticker/MSFT with the same origin policy does not
compromise the security of https://bankA.com/. If you think the
security of https://bankA.com/LastTransactionOfISISaccount is
compromised, then defeat me please.

Why do I want the browser to serve you a.html? Because many sites they
just did not serve the header you are eager for! There is no point for
me, the manager of https://bankA.com/, to delegate authorization check
to a remote browser.

Jack (Zhan, Hua Ping詹华平)
Received on Wednesday, 11 October 2017 22:42:30 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 9 November 2017 09:59:04 UTC